Black-Hat-Storytelling-Latest-Version-Latest-Version LONG ... · development efforts 2. Extensively...
![Page 1: Black-Hat-Storytelling-Latest-Version-Latest-Version LONG ... · development efforts 2. Extensively tested TRITION implant and its capabilities in Nozomi Networks lab, on a controller](https://reader033.fdocuments.in/reader033/viewer/2022042216/5ebdcdcb9d79be23090d6a1e/html5/thumbnails/1.jpg)
1
2
Who Are We (?)
ICS security researchers: Younes Dragoni, Marina Krotofil, Andrea Carcano

Andrea Carcano
• PhD in Industrial Cyber Security
• Sr. Security Engineer, Major Oil and Gas Company
• Co-founder and Chief Product Officer, Nozomi Networks

Younes Dragoni
• BS Information Technology
• Security Researcher, Nozomi Networks
• Enthusiastic White Hat Reverse Engineer
• Member of the Global Shapers Community (WEF)

Marina Krotofil
• ICS/SCADA security professional
• Previously Principal Analyst at FireEye and Lead Cyber Security Researcher at Honeywell
• Accumulated >8 years of research in cyber-physical security
3
Line-up
• Introduction
• Turning an ‘Undocumented Device’ into Malicious Code
• Analysis of the TRITON Modules
• DEMO: TRITON in Action, and how to detect it (free toolset on GitHub)
• Discussion and Closing Remarks
4
Introduction to Industrial Control Systems (ICS)
& Safety Instrumented Systems (SIS)
https://nbn.media/signing-distributed-control-system-dcs-alwaleedia-west-cairo-stations/
Industrial Control System (ICS)
5
[Figure: Information Technology (IT, computer science) above Operational Technology (OT, engineering); the physical process at the bottom is the attacker's end target]
Industrial Control System (ICS)
6
http://fukushimawatch.com/wp-content/uploads/sites/12/2016/05/Fukushima_fire_explosion_radiation.jpg
Industrial Control System (ICS)
7
[Figure: the CYBER and PHYSICAL sides of an ICS]
8
Hazards and Layers of Protection
[Figure: layers of protection around the process; the SIS is one layer of the DEFENSE IN DEPTH]
https://www.arcweb.com/sites/default/files/Images/blog-images/Layers-of-Protection.png
http://www.oseco.com/markets/processing/index.cfm?appID=23#23
9
Safety Instrumented Systems (SIS)
• Modern SIS are software-based systems
• Best practices recommend running the SIS on a dedicated and isolated network
• The SIS is sometimes connected to the Process Control Network for data exchange, ease of maintenance, convenience, lower cost considerations, etc.
• Using multiple vendors in this critical layer increases the risk
An attack on a safety system can cause the MOST DAMAGING outcome of a cyber-physical attack
https://www.cyberark.com/threat-research-blog/anatomy-triton-malware-attack/
10
The Milestone TRITON Security Incident
11
TRITON Attack: Overview
[Figure, network diagram with the layers IT, DMZ, Process Control Network, SIS Network, Sensors and Actuators, Physical Process; labelled nodes: SIS Controllers, Engineering Station, IPC1, IPC2, Engineering Station, RDP Station]
Attacker obtained remote access to the SIS workstation
https://www.cyberark.com/threat-research-blog/anatomy-triton-malware-attack/
12
TRITON Payload: Overview
The attacker attempted to inject a passive backdoor/remote access trojan into the industrial safety controller:
- Read arbitrary memory
- Write into memory
- Execute arbitrary code
“Your wish is my command”
[Figure: the Eng. Workstation delivers imain.bin + inject.bin to the Tricon controller over the TriStation protocol]
Files: trilog.exe • script_test.py • library.zip • inject.bin • imain.bin
https://www.schneider-electric.com/ww/en/Images/tricon-IC-654x654.jpg
13
ICS Exploitation is No Longer for the Elite
The barriers to advanced ICS hacking have been surprisingly lowered!
Dedicated tools and information on the wire make the life of a hacker much easier:
• Increased connectivity with IT networks and the Internet has greatly increased the attack surface
  ‒ Shodan my friend …
• Advanced exploitation tools, frameworks and malware samples are «easy» to access
• ICS equipment and documentation are «easy» to procure/get
• The number of published ICS device vulnerabilities is growing, with slow implementation of countermeasures
https://fofa.so/
https://github.com/NullArray/AutoSploit
https://www.shodan.io/
14
ICS is under Fire!
The number of published ICS device vulnerabilities keeps growing!
https://ics-cert.us-cert.gov/sites/default/files/Annual_Reports/NCCIC_ICS-CERT_FY%202016_Annual_Vulnerability_Coordination_Report.pdf
15
Turning an ‘Undocumented Device’ into Malicious Code
http://iom.invensys.com/EN/Pages/IOM_NewsDetail.aspx?NewsID=78
16
What Does a Bad Guy Have to Do to Build an Attack like TRITON?
1. Gather Intelligence
   • Collect as much information as possible
   • Gain a ‘documented view’ of the target
2. Build a shopping list
   • Documentation • Engineering tool-set • Firmware • Controller
3. RE of Engineering Software
   • Collect information by reverse engineering the engineering software
4. RE of TriStation Protocol
   • Being able to talk to, and understand, the protocol of the target system is crucial
17
Gather Intelligence (1)
• Reading the manual should always be the first thing to do
• Manuals can easily be found online on auction platforms, some websites or p2p sharing
https://www.ebay.com/itm/Triconex-User-Manuals-Tristation-Communication-Planning-Log-Termination-QuickRef/371687142744?hash=item568a47b558%3Ag%3ArI4AAOSwRLZT%7E8XY&_sacat=0&_nkw=triconex+guide&_from=R40&rt=nc&LH_TitleDesc=0
https://www.ebay.com/itm/INVENSYS-TRISTATION-1131-DEVELOPERS-WORKBENCH-4-9-0-7254-14-3000755-832-NEW-/170825998181
18
Buy or Obtain the Right Instruments: Documentation
https://www.nrc.gov/docs/ML0932/ML093290420.pdf
19
Buy or Obtain the Right Instruments: Engineering toolset
• Directly from the vendor website
  ‒ Asking the right people the right questions
• Asset owners
  ‒ Operations and security staff are our friends, and the best sources of information
• Surf the Web and you’ll find interesting stuff
  ‒ Installation CDs sold on e-commerce sites
  ‒ Loose executables & archives drifting on forums
  ‒ Open directories, FTP servers, etc.
You can pay for it or ask nicely……
https://it.wikipedia.org/wiki/File:LinkedIn_Logo.svg
https://www.webrankinfo.com/google/youtube.htm
20
Buy or Obtain the Right Instruments: Triconex Engineering Software
21
Buy or Obtain the Right Instruments: Firmware
• Understanding the logic running inside the gear
• Extracting the firmware without bricking the hardware … the quicker the better …
22
Buy or Obtain the Right Instruments: Firmware
• Triconex Firmware Manager v2.0
• Just really hard to find out there
• Contains all the firmware versions!
Number of bricked MPs: 0
23
Buy or Obtain the Right Instruments: The Controller (Hardware)
• Alert: most ICS equipment is very expensive
  ‒ Go for it only if you have “money in your pocket”: approx. $5-10K
  ‒ You might want/need spares for teardown & in case you brick it
• Directly from the vendor marketplace
  ‒ Not the cheapest way; you must be a legitimate buyer
• Try eBay / Alibaba
  ‒ Look for components, used devices or new ones with warranty. Keep in mind the compatibility issues: put together enough to make it work!
You’re not gonna find this stuff at a yard sale or in the corner store.
http://www.ilmilanista.it/wp-content/uploads/sites/24/2018/02/offerte_ebay.png
https://www.forbes.com/companies/alibaba/
24
Buy or Obtain the Right Instruments: The Controller (Hardware)
https://www.ebay.com/sch/i.html?_from=R40&_trksid=p2380057.m570.l1313.TR10.TRC2.A0.H0.Xtriconex.TRS2&_nkw=triconex&_sacat=0
25
RE of Engineering Software (3)
• RE can be awesome!
  ‒ Learn protocol structure & error codes & juicy stuff
• TriStation 1131 v4.9.0 (build 117):
  ‒ A gold mine for the bad guys!
  ‒ Contains all the information needed to interact with the controller
26
RE of Engineering Software
[Screenshot: TR1HWDEF.HWD, raw and parsed]
27
RE of Engineering Software
• One User to rule them all
  ‒ Default user: Manager
  ‒ Initial Level User: 1 (highest privilege)
  ‒ Error message: “You are not authorized to open this project because your user name was not found in the project”
  ‒ …but there is a way
http://whisper.sh/whisper/05135625ddcd939615557ca0ed1cac12d73396/Is-that-you-John-Wayne-Is-this-me-#
28
RE of Engineering Software
Undocumented Users
[Screenshot: REDACTED]
29
RE of Engineering Software
Debugging messages: let’s try!
30
RE of Engineering Software
[Screenshots: User: Manager; User: TCNX_BD (remainder REDACTED)]
31
RE of Engineering Software
Schneider Electric acknowledges that in the 4.9.0 and earlier versions of the Tristation software, a fixed support account was used to provide our customers the best possible service.
As cybersecurity norms evolved, our product did as well.
In the 4.9.1 and later version of the Tristation software this fixed account was made public in our user documentation and an option (including a recommendation) to delete these fixed accounts was provided.
In today’s security-enhanced installation of the Tristation software this fixed support account no longer is present.
This includes during upgrades from older, unsecured versions of the Tristation software, to the current security-enhanced version, where the fixed support account is removed entirely.
32
RE of TriStation Protocol (4)
What to know?
• Trying to understand the protocol from ground zero would take a considerable amount of time!
  ‒ LOTS of reverse engineering effort needed
• The current TriStation UDP/IP protocol ‘was’ little understood
  ‒ Natively implemented through the TriStation 1131 software suite
Work smarter, not harder….
33
RE of TriStation Protocol
[Screenshots side by side: TricCom.dll (TriStation 1131) and TS_cnames.py (TRITON)]
34
RE of TriStation Protocol
• No need for a full RE, focus only on a few interesting packet types
  ‒ The attacker does not need a full protocol parser
[Screenshots side by side: TricCom.dll (TriStation 1131) and TS_cnames.py (TRITON)]
35
RE of TriStation Protocol: Dissector
We built a dissector for Wireshark:
• Available on GitHub (see the link below)
• Feel free to improve it and help the community grow our knowledge
https://github.com/NozomiNetworks/tricotools
36
DEMO: Triconex HoneyPot
37
Analysis of the TRITON Modules
https://www.tripwire.com/state-of-security/ics-security/why-is-end-point-protection-a-big-deal-in-ics-environments/
38
Multi-Stage Payload
Stage 1: Argument-Setting Shellcode
Stage 2: Implant Installer (inject.bin)
Stage 3: Backdoor Implant (imain.bin)
Stage 4: Missing OT Payload (DEMO of how it could act)
39
Multi-Stage Payload (1): Control value setting program
• The shellcode searches DRAM until it finds the Control Program (CP) status structure, and writes an attacker-supplied value to the fstat field
• The attacker queries the status to check for success, and uses the value as the argument (wait time & step number) for stage 2
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF
40
Multi-Stage Payload - fstat
https://github.com/NozomiNetworks/tricotools
41
Multi-Stage Payload (2): Operation of the injector
• inject.bin handles the injection of imain.bin into the running firmware
data = inject.bin + (payload size + 8) + 0x1234 + imain.bin + (payload size + 8) + 0x56789A
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF
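The injector data layout above, as an added worked example (this is not code from the talk, from MAR-17-352-01 or from tricotools). It builds the two-record container in the order the slide gives and then recovers the records by walking backwards from the end, which is the only direction the trailing length and marker fields allow. The slide states neither field widths nor byte order, so the 32-bit big-endian words are an assumption (on that assumption the "+ 8" is exactly the two trailing words); the blobs in the demo run are constructed dummy bytes, and `find_container` is this example's own helper showing how the same parser doubles as a detector over an arbitrary buffer.

```python
"""Stage-2 injector container: build it, and recover the two blobs from it.

Added example; not code from the talk, from MAR-17-352-01 or from tricotools.
The slide gives only the field order:

    inject.bin + (payload size + 8) + 0x1234 + imain.bin + (payload size + 8) + 0x56789A

Field widths and byte order are NOT stated on the slide; this example ASSUMES
32-bit big-endian words for the length and marker fields. The blobs used in the
demo run are constructed dummy bytes, not the real stage-2 or stage-3 code.
"""
import struct

INJECT_MARKER = 0x1234      # word that closes the inject.bin record (from the slide)
IMAIN_MARKER = 0x56789A     # word that closes the imain.bin record (from the slide)
WORD = struct.Struct(">I")  # assumption: 32-bit big-endian length/marker fields


def pack_record(blob: bytes, marker: int) -> bytes:
    """blob, then (len(blob) + 8), then the marker. On the 32-bit assumption the +8
    is exactly the two trailing words, so the length spans the whole record."""
    return blob + WORD.pack(len(blob) + 8) + WORD.pack(marker)


def build_container(inject_bin: bytes, imain_bin: bytes) -> bytes:
    """Concatenate the two records in the order given on the slide."""
    return pack_record(inject_bin, INJECT_MARKER) + pack_record(imain_bin, IMAIN_MARKER)


def unpack_record(data: bytes, end: int, expected_marker: int):
    """Parse the record that ENDS at offset `end`. Because length and marker trail
    the blob, a container has to be walked backwards from its end.
    Returns (blob, start_offset) or raises ValueError on a malformed record."""
    if end < 8:
        raise ValueError("truncated record")
    (size,) = WORD.unpack_from(data, end - 8)
    (marker,) = WORD.unpack_from(data, end - 4)
    if marker != expected_marker:
        raise ValueError(f"marker 0x{marker:X}, expected 0x{expected_marker:X}")
    start = end - size
    if size < 8 or start < 0:
        raise ValueError(f"length field {size} out of range")
    return data[start:end - 8], start


def split_container(data: bytes):
    """Recover (inject_bin, imain_bin) from a well-formed container."""
    imain_bin, inject_end = unpack_record(data, len(data), IMAIN_MARKER)
    inject_bin, start = unpack_record(data, inject_end, INJECT_MARKER)
    if start != 0:
        raise ValueError(f"{start} unexpected leading bytes")
    return inject_bin, imain_bin


def find_container(buf: bytes):
    """Scan an arbitrary buffer (e.g. a reassembled TriStation payload) for an embedded
    container and return its (start, end), or None. Every candidate marker is
    confirmed by re-parsing both records, so a stray marker word alone never matches."""
    needle = WORD.pack(IMAIN_MARKER)
    pos = buf.find(needle)
    while pos != -1:
        end = pos + 4
        try:
            _, inject_end = unpack_record(buf, end, IMAIN_MARKER)
            _, start = unpack_record(buf, inject_end, INJECT_MARKER)
            return start, end
        except ValueError:
            pass
        pos = buf.find(needle, pos + 1)
    return None


if __name__ == "__main__":
    inject_bin = b"\x7c\x08\x02\xa6" * 5   # constructed dummy bytes
    imain_bin = bytes(range(40))           # constructed dummy bytes
    container = build_container(inject_bin, imain_bin)
    print(container.hex())
    print(split_container(container) == (inject_bin, imain_bin))
    print(find_container(b"\x00" * 7 + container + b"\xff" * 3))
```

Because each length field is checked against its marker and against the record before it, a lone 0x56789A word in ordinary program or firmware bytes does not match; the scan only reports an offset when a consistent inject.bin record precedes the imain.bin record.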
42
Multi-Stage Payload (3): Operation of the implant
• Stage 3 is a backdoor implant which gives the attacker Read/Write/Execute access to controller memory via a custom TriStation ‘Get MP Status’ (FC: 0x1D) packet
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF
43
Malware Execution Edge Cases
https://www.monkeyuser.com/2017/step-by-step-debugging/
44
DEMO: TRITON in Action
https://www.tripwire.com/state-of-security/wp-content/uploads/sites/3/shutterstock_614342786.jpg
45
DEMO: Equipment Needed
Terminator Panel 2652-1
Compressor + balloon
Low-density chassis:
• 1.02 3008/N Tricon Enhanced Main Processor
• 1.05 4329/N/G NCM (Network Communications Module)
• 1.09 3503/E/EN Discrete Input, 24 V, 32 points
• 1.10 Marshalling Connector 2652-310 DO
• 1.12 3604/E/EN Discrete Output, 24 VDC, 16 points
46
Demo – (Un)Safety of the Process
Inflation/Deflation of the balloon:
1. Increase counter by 1
2. If counter == 28 then counter = 0
3. If counter < 8 then LED16 = ON else LED16 = OFF
47
TRITON DEMO: Execution
48
Nozomi TRITON toolset
1. Passive detection tool (dissector)
   • Dissection of the TriStation proprietary protocol
   • For understanding the communication between the engineering workstation and the Triconex controller
2. Active detection tool
   • Checks for TRITON programs running inside the controller
   • Uploads the program table and checks it for a suspicious payload
3. Honeypot
   • Replication of a Triconex system configuration
   • Detection of unknown traffic targeting the SIS network
   • Tricking the enemy!
https://github.com/NozomiNetworks/tricotools
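What the passive side of such a toolset looks for, as an added example (this is not the tricotools dissector or honeypot): a small monitor over a packet stream that already carries the decoded function code, since the example does not re-implement the TriStation wire format. Assumptions: TriStation runs over UDP port 1502; the controller, engineering-workstation and honeypot addresses are hypothetical site values; the poll-rate threshold is a made-up tuning value; the packet records are constructed, not a real capture.

```python
"""Passive monitoring of a SIS network segment for TriStation traffic.

Added example in the spirit of the passive tool and the honeypot; not the
tricotools code. Packets are constructed dicts that already carry a decoded
function code (no TriStation header parsing here). Assumptions: TriStation on
UDP/1502; hypothetical addresses; a made-up poll-rate threshold.
"""
from collections import defaultdict

TRISTATION_UDP_PORT = 1502      # assumption: TriStation over UDP port 1502
FC_GET_MP_STATUS = 0x1D         # 'Get MP Status' function code (from the talk)

CONTROLLERS = {"10.10.2.10", "10.10.2.11"}    # hypothetical Tricon addresses
ENGINEERING_WORKSTATIONS = {"10.10.2.100"}    # hypothetical authorised EWS
HONEYPOT = "10.10.2.250"                       # hypothetical decoy "controller"
STATUS_POLL_LIMIT = 20                         # assumed: >20 polls per window is abnormal
WINDOW_SECONDS = 60


def inspect(packets):
    """Return a list of (kind, src, ts) alerts for the packet stream.

    Rules, in order:
      1. any packet to the honeypot is an alert (nothing legitimate talks to it);
      2. TriStation traffic to a real controller from a host that is not an
         engineering workstation (reported once per host);
      3. a burst of 'Get MP Status' polls from one host: stage 1 polls status to
         check for success and stage 3 is driven through that packet type."""
    alerts = []
    reported_hosts = set()
    polls = defaultdict(list)   # src -> timestamps of recent status polls
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["dst"] == HONEYPOT:
            alerts.append(("honeypot-contact", p["src"], p["ts"]))
            continue
        if p["proto"] != "udp" or p["dport"] != TRISTATION_UDP_PORT or p["dst"] not in CONTROLLERS:
            continue
        if p["src"] not in ENGINEERING_WORKSTATIONS and p["src"] not in reported_hosts:
            reported_hosts.add(p["src"])
            alerts.append(("unauthorized-tristation-client", p["src"], p["ts"]))
        if p.get("fc") == FC_GET_MP_STATUS:
            window = polls[p["src"]]
            window.append(p["ts"])
            while p["ts"] - window[0] > WINDOW_SECONDS:   # drop polls older than the window
                window.pop(0)
            if len(window) == STATUS_POLL_LIMIT + 1:      # fire once when the limit is crossed
                alerts.append(("mp-status-burst", p["src"], p["ts"]))
    return alerts


def summarize(alerts):
    """Count alerts per kind."""
    counts = {}
    for kind, _, _ in alerts:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def constructed_traffic():
    """Constructed sample, not a real capture: the legitimate workstation polling
    every 10 s, an unknown host polling every second, then touching the decoy,
    plus one unrelated TCP packet that the monitor ignores."""
    def pkt(ts, src, dst, proto="udp", dport=TRISTATION_UDP_PORT, fc=FC_GET_MP_STATUS):
        return {"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": dport, "fc": fc}
    packets = [pkt(1000 + 10 * i, "10.10.2.100", "10.10.2.10") for i in range(12)]
    packets += [pkt(1100 + i, "10.10.2.57", "10.10.2.10") for i in range(30)]
    packets.append(pkt(1131, "10.10.2.57", HONEYPOT))
    packets.append(pkt(1140, "10.10.2.57", "10.10.2.10", proto="tcp", dport=502, fc=None))
    return packets


if __name__ == "__main__":
    for alert in inspect(constructed_traffic()):
        print(alert)
```

The allowlist rule is the one that carries most weight on a real SIS segment: only the engineering workstation should ever speak TriStation, so any other source is reportable before looking at function codes at all. The burst rule needs its threshold tuned against the site's own polling behaviour.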
49
Detection Toolset: How?
[Figure, two columns: “TriStation 1131: Upload Program” returns the Program and its TScksum; “TRITON: Upload Program” returns the Program, its TScksum and the TRITON signature]
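The active check above, as an added example (this is not the tricotools checker): an offline audit of a program table that has already been uploaded from the controller, diffed against the engineering project and scanned for byte patterns. The TriStation “Upload Program” request itself is not implemented; the program names, checksums, program bytes and the two byte patterns are all constructed, and the patterns only stand in for a real TRITON signature.

```python
"""Program-table audit in the spirit of the active detection tool.

Added example, not the tricotools checker. The table is assumed to have been
uploaded from the controller already; each record carries the program name, the
checksum the controller reports for it (the slide's TScksum) and the program
bytes. The baseline is what the engineering project says should be running.
Names, checksums, bytes and patterns are constructed; the 4-byte patterns are
placeholders (a real signature would be much longer, short patterns false-positive).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # unknown-program | checksum-mismatch | missing-program | signature-hit
    program: str
    detail: str


def audit_program_table(baseline, uploaded, signatures):
    """Compare the uploaded table with the project baseline and scan each program.

    baseline:   {program name: expected checksum}
    uploaded:   [{"name": str, "cksum": int, "code": bytes}, ...]
    signatures: {label: byte pattern}"""
    findings = []
    seen = set()
    for entry in uploaded:
        name = entry["name"]
        seen.add(name)
        if name not in baseline:
            findings.append(Finding("unknown-program", name, "not in the engineering project"))
        elif entry["cksum"] != baseline[name]:
            findings.append(Finding("checksum-mismatch", name,
                                    f"controller 0x{entry['cksum']:04X} != project 0x{baseline[name]:04X}"))
        for label, pattern in signatures.items():
            offset = entry["code"].find(pattern)
            if offset != -1:
                findings.append(Finding("signature-hit", name, f"{label} at offset {offset}"))
    for name in sorted(baseline.keys() - seen):
        findings.append(Finding("missing-program", name, "in the project but not on the controller"))
    return findings


def verdict(findings):
    """Any deviation from the project is treated as suspicious."""
    return "suspicious" if findings else "clean"


# Constructed data: what the project expects versus what the controller returned.
BASELINE = {"BALLOON_CYCLE": 0x3A7C, "SAFETY_TRIP": 0x91E0, "ALARM_LOG": 0x1111}
UPLOADED = [
    {"name": "BALLOON_CYCLE", "cksum": 0x3A7C, "code": b"\x38\x60\x00\x1c" * 4},
    {"name": "SAFETY_TRIP", "cksum": 0x91E1, "code": b"\x2c\x03\x00\x08" * 4},   # checksum drifted
    {"name": "PROG_X", "cksum": 0x0000, "code": b"\x00" * 8 + b"\x00\x00\x12\x34" + b"\x7c\x08\x02\xa6"},
]
SIGNATURES = {   # placeholders: the marker words from the injector layout, not real IOCs
    "stage2-inject-marker": b"\x00\x00\x12\x34",
    "stage3-imain-marker": b"\x00\x56\x78\x9a",
}

if __name__ == "__main__":
    findings = audit_program_table(BASELINE, UPLOADED, SIGNATURES)
    for f in findings:
        print(f)
    print(verdict(findings))
```

The baseline diff is the part that does not depend on knowing any malware: a program the project never contained, a checksum that no longer matches the engineered logic, or a program that has vanished are each worth an investigation on their own, whether or not a signature fires.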
50
DEMO: TRITON Detection
51
Sum-up
What were we able to achieve?
1. Followed the attacker's footsteps to get a better idea of the effort behind ICS exploit development
2. Extensively tested the TRITON implant and its capabilities in the Nozomi Networks lab, on a controller of the targeted make and model
3. Developed a few useful tools and scripts by RE of the workstation software and protocol
   ‒ Developed a TriStation protocol dissector
   ‒ Developed a ‘Check for Implant’ tool
   ‒ Developed a HoneyPot
4. Developed TRITON detection approaches/tools, passive and active
52
Why Did the Attack Fail?
There could be several reasons why the attacker failed to inject TRITON. One possibility is the attacker’s inability to manage the plurality of MPs
From the memory dump
https://patents.google.com/patent/US8037356B2/en
https://www.nrc.gov/docs/ML0933/ML093370294.pdf
53
Why Did the Attack Fail?
https://patents.google.com/patent/US8037356B2/en
• A system for validating communications between a plurality of processors
• Among the SX main functions:
  ‒ Execution of user applications (control logic)
  ‒ Timing and synchronization control between MPs
  ‒ Voting on input and system data
54
Discussion and Closing Remarks
https://www.i-need.de/?Artikel=136478
55
Possible Attack Objectives
TRITON is too expensive an exploit for a simple process shutdown
• Physical damage?
  ‒ Suppress the safety intervention during execution of a ‘damaging’ attack
• ICS hacking «Olympics»?
  ‒ A test of capabilities / live drill?
• Extortion?
  ‒ Political, economic? No knowledge of this, just speculation
https://www.businesstimes.com.sg/government-economy/30000-evacuated-in-china-chemical-plant-fire
56
Attack Tasks Become Incredibly Automated
[Figure: timeline 1995 to 2018 plotting Tools (Attack Sophistication, Low to High) against Attackers (Intruder Knowledge); tools along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, burglaries, back doors, hijacking sessions, sweepers, sniffers, network mgmt. diagnostics, packet spoofing, GUI, automated probes/scans, www attacks, “stealth” / advanced scanning techniques, distributed attack tools, staged attacks, cross site scripting attacks, denial of service]
57
Implications of TRITON Code Becoming Public
• Provides a playbook and toolkit for other threat actors
• Draws the attention of the entire hacking community to industrial targets
• Alerts industrial and critical infrastructure organizations to include SIS compromise in risk assessments and defense in depth measures
58
Need for Auditing/Forensics Tools
It is critical to develop auditing/forensic tools before TRITON-like exploits become common
• Auditing tools: Is my device potentially tampered with?
• Forensic tools: What exactly has happened to my device?
• Asset owners should start a dialog with the vendors
59
Q&A
Marina [email protected] @marmusha
Andrea [email protected] @andreacarcano
Younes [email protected] @br4zzor
https://github.com/NozomiNetworks/tricotools